Sample Vulnerability Assessment Report
The customer requested an external Penetration Test of its Unclassified network. YoyoDyne was tasked with providing recommendations for technical solutions, process improvements, resolution of major issues and strategy improvements.
A penetration test was conducted by YoyoDyne in two separate 48-hour phases. The first phase was a blind test, in which YoyoDyne was given no prior information about the customer's network topology or defenses. In the second phase, YoyoDyne conducted a penetration test with network topology, host information and defense structure provided by the customer.
In most respects the perimeter defense held up. Certain hosts were identified as having potential vulnerabilities, some of which were corrected immediately after the test was completed. The major vulnerabilities were found on DNS servers, FTP servers and various electronic mail servers.
In the areas tested, the YoyoDyne team determined that most of the problems identified are easily corrected. A few of them (discussed below) warrant more immediate attention because of the higher risk of external compromise. Where significant problems were identified, the staff was notified immediately upon completion of the test, and those areas have already been reported as corrected. Each of these areas is also discussed below.
Recommendations are presented in three categories: Technical, Process, and Issues and Strategic Considerations.
Technical Recommendations:
Process Recommendations:
Issues and Strategic Considerations:
Overall, the customer has demonstrated good security practices. The recommendations will help eliminate the weaknesses exposed during our tests.
The detailed information is given as electronic documents in the appendix.
The primary objective of this penetration test was to discover networking and security deficiencies in the customer's publicly exposed, unclassified networks.
Once the full testing had been completed, YoyoDyne was expected to provide recommendations for technical and process improvements and assist in resolution of any major security issues and improvement in security strategy.
The audit consisted of two phases, a blind test and an informed test. These tests were preceded by information gathering processes.
YoyoDyne followed an industry standard approach:
The testing team used additional tools and methods tailored specifically for the customer's systems.
The following constraints were imposed under the terms of the contract.
These limitations were understandable given the nature of the customer's business, since some of the excluded techniques could severely impact the staff and machines.
Auditing commenced with a data collection phase. The areas of concentration were:
These areas are discussed in the following sections.
Usenet is one of the favorite resources of the social engineer. Usenet posts often contain technical questions revealing network, host, application and security information. Email and Usenet post headers can provide routing information, host names, IP addresses, operating system type and version, and client applications. Personal and work information, including phone numbers, fax numbers, addresses and project assignments, can be found. Personal habits, hobbies and social activity can be discovered and exploited.
An initial host/IP list and network topology was developed almost completely from Usenet posts.
Appendix item 1 contains a summary of information obtained.
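The following script is an added example of the header mining described above; it is not part of the original report or the YoyoDyne toolkit. It feeds constructed Usenet and e-mail samples (the "customer" domain, the 192.0.2.0/24 addresses, names and phone numbers are all placeholders) through Python's standard e-mail parser and collects exactly the items the report lists: hosts under the target domain (from Path, From, Message-ID and Received headers and from the body), posting IPs, phone numbers, and the client and MTA software advertised in X-Newsreader, X-Mailer and sendmail's Received stamps.

```python
"""Mine Usenet/e-mail headers and bodies for target information (added example)."""
import re
from email import message_from_string

# Constructed sample posts; "customer" and 192.0.2.0/24 are placeholders, not real data.
SAMPLE_POSTS = [
    """Path: news.customer!host7.customer!not-for-mail
From: jdoe@host7.customer (J. Doe)
Newsgroups: comp.protocols.dns.bind
Subject: lame server warnings from named 8.2.2 on Solaris 2.6
Message-ID: <8abc12$k3@host7.customer>
NNTP-Posting-Host: 192.0.2.55
X-Newsreader: tin/pre-1.4-19990517 ("Psychonaut") (UNIX) (SunOS/5.6 (sun4u))
Organization: Customer, Anytown CA (800) 555-1212

Our secondary keeps logging lame server messages for dns1.customer ...
""",
    """Received: from mail1.customer (mail1.customer [192.0.2.10])
\tby relay.example.net (8.9.3/8.9.3) with ESMTP id QAA12345
Received: from pc-bsmith.customer ([192.0.2.120]) by mail1.customer
\t(8.11.0/8.11.0) with SMTP id e9GJx1234
From: "Smith, Bob" <bsmith@customer>
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
Subject: fax line 555-1213 is down again

Put the file on ftp1.customer (wu-ftpd 2.6.0) and I will grab it.
""",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PHONE_RE = re.compile(r"(?:\(?\b\d{3}\)?[ -])?\b\d{3}-\d{4}\b")
MTA_RE = re.compile(r"\((\d[\w.]*/\d[\w.]*)\)")   # sendmail "(8.11.0/8.11.0)" stamps
SOFTWARE_HEADERS = ("X-Newsreader", "X-Mailer", "User-Agent")


def mine_post(raw, domain="customer"):
    """Extract hosts under `domain`, IPs, phone numbers and client/MTA software from one post."""
    host_re = re.compile(
        r"\b([a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)*\." + re.escape(domain) + r")\b", re.I)
    msg = message_from_string(raw)
    software = {v for h in SOFTWARE_HEADERS for v in msg.get_all(h, [])}
    for received in msg.get_all("Received", []):
        software.update(MTA_RE.findall(received))
    return {
        "hosts": {h.lower() for h in host_re.findall(raw)},   # headers and body alike
        "ips": set(IP_RE.findall(raw)),
        "phones": set(PHONE_RE.findall(raw)),
        "software": software,
    }


def build_target_list(posts, domain="customer"):
    """Merge per-post findings into the initial host/IP list used to pick scan targets."""
    merged = {"hosts": set(), "ips": set(), "phones": set(), "software": set()}
    for raw in posts:
        for key, values in mine_post(raw, domain).items():
            merged[key] |= values
    merged["ips"] = sorted(merged["ips"], key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return {k: (v if isinstance(v, list) else sorted(v)) for k, v in merged.items()}


if __name__ == "__main__":
    for key, values in build_target_list(SAMPLE_POSTS).items():
        print(f"{key}: {values}")
```

Two of the six hosts it recovers (dns1.customer and ftp1.customer) come from message bodies rather than headers, which is why the report treats the posts themselves, not just their envelopes, as a source.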
Looking up the IP X.X.X.X reveals:

bash-2.03$ whois -h whois.arin.net X.X.X.X
Customer (ID)
   111 West Street
   Anytown, CA 90210
   US

   Netname: CUST-NET
   Netnumber: X.X.X.X

   Coordinator:
      Customer Coordinator  contact@customer
      (800) 555-1212

   Domain System inverse mapping provided by:

   DNS1.CUSTOMER    X.X.X.3
   DNS2.CUSTOMER    X.X.X.4

   Record last updated on 05-Sep-2000.
   Database last updated on 27-Nov-2000 06:14:40 EDT.

and a lookup of Y.Y.Y.Y reveals:

bash-2.03$ whois -h whois.arin.net Y.Y.Y.Y
Customer (ID2)
   111 West Street
   Anytown, CA 90210
   US

   Netname: CUST-NET
   Netnumber: Y.Y.Y.Y

   Coordinator:
      Customer Coordinator  contact@customer
      (800) 555-1212

   Record last updated on 31-Jul-2000.
   Database last updated on 27-Nov-2000 06:14:40 EDT.

The significant findings from this data were:
Information provided by a whois lookup, including contact email and phone number, is beneficial to the adept social engineer. ARIN identifies the reserved netblock providing a range of IPs that an attacker can scan. The listing of name servers provides an attacker a starting point with DNS attacks and queries. The lack of an advertised name server for the internal network indicates that name servers must be internal and non-public.
Analysis of the host list provided the initial selection of targets. Hosts of particular interest included those whose names indicated that they were HTTP, FTP, mail or DNS servers. Hosts whose names indicated a particular operating system, architecture or device type (Sun/Solaris, Linux, FreeBSD, VAX/VMS, Macintosh, various Microsoft operating systems, switches, gateways, firewalls, file servers, print servers and dial-up servers) were also targeted.
The dump of DNS data also provided information on subnets and subdomains. It offered hints about the structure of the DNS records (capitalized host names). Host names implied functional work areas useful to the social engineer. Many host names included what appeared to be user names in various forms. Hosts with the same name but multiple IPs were also noted.
Appendix item 4 contains data obtained using nslookup. 1359 hosts were identified.
The team started scanning backwards through the address space. It was assumed that scanning the lower IPs would trigger defenses. Backwards scanning would allow the team to gain as much information as possible before discovery. The team stair-stepped through, using multiple spoofed addresses to hide the scanning activity. The spoofed addresses were chosen based on past scanning activities. There was an exception. The team used the address of someone that had reported as scanning the customer's networks a few days before.
The spoofed addresses were very effective. The team verified through tcpdump on separate machines that there is no way to differentiate between spoofed addresses, and actual machines that may be attacking. The scanning triggered specific defenses. It was suspected that scanning activities were being blocked, and verified later. The team stopped scanning when it was determined that it was no longer effective. Scanning triggered defenses as early as it did because attack methods were chosen based on the (mistaken) assumption that the defenses were weaker than they were.
A total of 441 hosts were actively contacted and scanned in Phase I. Appendix item 5 contains this data.
Certain basic assumptions were also modified:
Phase II tools included:
Some tools were specifically modified to bypass the customer's firewall access controls and to evade IDS detection. Traceroute had IPv6 capabilities included with ICMP in an effort to gain access to the inner network, and firewalk had entries removed so that sensitive internal equipment would not be disturbed.
Potential targets for Phase II included:
The team used various packages and attack attempts against the known FTP servers. Scanning was done from source port 53 (DNS) to bypass packet filtering, which was effective.
Unfortunately, the FTP exploits used could not get past the filters on the routers. Even though these exploits were ineffective, the machines should still be examined to ensure that the version of wu-ftpd is the most recent. Since exploits against this application are so common, it is recommended that a more secure FTP server replace it.
The trust model on the Macintosh is such that it is difficult to exploit, even with an older application. While exploits against Macs are hard to find in the wild, it seems advisable to update the older application we found with a more recent version.
Mail server software and versions varied among hosts. The most common server type was Unix sendmail.
Sendmail versions varied among machines, and most servers appeared to be up to date. Only two returned real user information in response to VRFY and EXPN, although several others appeared to honor the commands without actually disclosing anything (for example, a 252 "cannot VRFY user" reply). The hosts that responded with real user information were mail1.customer and mail2.customer. Valid email addresses should not be obtainable by outside users, since they make it easier for an attacker to guess passwords, target virus-carrying email, or build mailing lists for spam. Since mail1.customer is one of the main machines, and is also an identified FTP server (running wu-ftpd), it should be configured so that this information is not surrendered to outside sources; in sendmail this is done with the PrivacyOptions setting (novrfy and noexpn, or goaway).
Both Macintosh mail servers were visible, but did not respond to VRFY or EXPN.
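The VRFY/EXPN check above, as an added example that is not part of the original report or its tool set. It drives the SMTP exchange by hand so the reply codes are visible: 250/251 with a mailbox is a real answer, 252 is the "looks responsive, leaks nothing" reply that made several of the customer's servers appear to honor VRFY, and 502 is a disabled EXPN. The mock MTA, its user directory and the mail1.customer banner are constructed for the example; the mock's hardened mode behaves the way sendmail does with PrivacyOptions=novrfy,noexpn.

```python
"""Probe an SMTP server for VRFY/EXPN information leakage (added example)."""
import socket
import threading

# Constructed directory for the mock MTA below; not data from the customer.
USERS = {"root": "Charlie Root", "jdoe": "J. Doe"}
ALIASES = {"postmaster": ["root", "jdoe"]}


def _reply(rf):
    """Read one SMTP reply, following 'NNN-' continuation lines; return (code, lines)."""
    lines = []
    while True:
        raw = rf.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def probe_smtp(host, port=25, user="root", alias="postmaster", timeout=5):
    """HELO, then VRFY <user> and EXPN <alias>; report whether either gives real answers."""
    s = socket.create_connection((host, port), timeout=timeout)
    rf = s.makefile("rb")

    def cmd(text):
        s.sendall((text + "\r\n").encode("ascii"))
        return _reply(rf)

    _, banner = _reply(rf)
    cmd("HELO audit.example")
    vrfy = cmd(f"VRFY {user}")
    expn = cmd(f"EXPN {alias}")
    cmd("QUIT")
    s.close()
    # 250/251 carry a mailbox: a real answer.  252 ("cannot VRFY, will try delivery")
    # is the polite refusal that makes a server look responsive without leaking.
    return {
        "banner": banner[0],
        "vrfy": vrfy, "vrfy_leaks": vrfy[0] in (250, 251),
        "expn": expn, "expn_leaks": expn[0] == 250,
    }


def _fake_mta(conn, leaky):
    """Constructed mock MTA: 'leaky' answers like an unhardened sendmail,
    otherwise like one running with PrivacyOptions=novrfy,noexpn."""
    rf = conn.makefile("rb")
    conn.sendall(b"220 mail1.customer ESMTP ready\r\n")
    for raw in rf:
        verb, _, arg = raw.decode("ascii", errors="replace").strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            conn.sendall(b"250 mail1.customer Hello\r\n")
        elif verb == "VRFY" and leaky:
            if arg in USERS:
                conn.sendall(f"250 {USERS[arg]} <{arg}@customer>\r\n".encode())
            else:
                conn.sendall(b"550 5.1.1 User unknown\r\n")
        elif verb == "VRFY":
            conn.sendall(b"252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery\r\n")
        elif verb == "EXPN" and leaky and arg in ALIASES:
            members = ALIASES[arg]
            for i, m in enumerate(members):          # multi-line 250- ... 250 reply
                sep = " " if i == len(members) - 1 else "-"
                conn.sendall(f"250{sep}<{m}@customer>\r\n".encode())
        elif verb == "EXPN":
            conn.sendall(b"502 5.7.0 Sorry, we do not allow this operation\r\n")
        elif verb == "QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            conn.sendall(b"500 5.5.1 Command unrecognized\r\n")
    conn.close()


def start_fake_mta(leaky):
    """Listen on an ephemeral localhost port and serve one session; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        srv.close()
        _fake_mta(conn, leaky)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for leaky in (True, False):
        print(probe_smtp("127.0.0.1", start_fake_mta(leaky)))
```

Against a real host, point probe_smtp at port 25 and test a few accounts that exist on most Unix systems (root, postmaster, daemon); a server that answers 252 to all of them is hardened, one that answers 250 for some and 550 for others is confirming account names.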
The team was most concerned to see a machine that seemed to offer multiple services (victim.customer). Most of these vulnerabilities were repaired immediately upon cessation of the penetration test. In general, it is recognized that it is preferable to have servers providing one service only, to lessen the danger of unauthorized access or compromise.
The Domain Name System (DNS) maps host names to the numeric IP addresses that machines use to reach each other on the Internet, much as the post office resolves a street address to a delivery route. Because the mapping is authoritative for the domain, a user who wants to reach the customer's mail system needs to know only first.last@customer; DNS (through the domain's MX records) tells the sending mail server which host, such as mail1.customer, accepts mail for that domain.
Several versions of BIND (Berkeley Internet Name Domain) have had vulnerabilities, and there is always concern that a DNS server might be running one of these vulnerable versions.
Lame server delegations may be entry points for masquerading by criminal intruders or vandals. The servers identified were lame.customer (with bad reverse entries), and victim.customer (with a bad forward entry):
Oct 14 20:49:33 predator named[288]: Lame server on 'victim.customer' (in 'victim.customer'?): [X.X.X.X].53 'dns1.customer'
Oct  3 20:08:14 predator named[15025]: Lame server on 'X.X.X.X.in-addr.arpa' (in 'X.X.X.IN-ADDR.ARPA'?): [X.X.X.X].53 'lame.customer'
A well-planned attack on the main DNS servers could isolate the customer, since those servers sit on the same network as the hosts they serve. An attacker who could answer for one of the questioned delegations could masquerade as a host in those blocks and have its packets accepted on the inner network as legitimate.
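The lame-server messages above are the evidence for this finding, and the same evidence accumulates in the logs of any resolver that queries the customer's zones. The script below is an added example, not from the report, that pulls them out of named's syslog output, separates forward from reverse (in-addr.arpa) delegations and groups them by the server that was delegated to but is not authoritative. The log lines are constructed with 192.0.2.0/24 placeholder addresses; the message format is the one BIND 8 prints, as shown above.

```python
"""Extract lame delegations from BIND 8 'Lame server' log lines (added example)."""
import re
from collections import defaultdict

LAME_RE = re.compile(
    r"named\[\d+\]: Lame server on '(?P<query>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"\[(?P<ip>[\d.]+)\]\.(?P<port>\d+) '(?P<server>[^']+)'"
)

# Constructed sample log (placeholder addresses); the fourth line is not a lame-server message.
SAMPLE_LOG = """Oct 14 20:49:33 predator named[288]: Lame server on 'victim.customer' (in 'victim.customer'?): [192.0.2.3].53 'dns1.customer'
Oct  3 20:08:14 predator named[15025]: Lame server on '7.2.0.192.in-addr.arpa' (in '2.0.192.IN-ADDR.ARPA'?): [192.0.2.9].53 'lame.customer'
Oct  3 20:08:15 predator named[15025]: Lame server on '8.2.0.192.in-addr.arpa' (in '2.0.192.IN-ADDR.ARPA'?): [192.0.2.9].53 'lame.customer'
Oct  3 20:09:02 predator named[15025]: ns_forw: query(ftp.example.net) All possible A RR's lame
"""


def parse_lame(log):
    """One dict per matching line: query, zone, ip, port, server, kind (forward/reverse)."""
    findings = []
    for line in log.splitlines():
        m = LAME_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["kind"] = "reverse" if d["zone"].lower().endswith(".in-addr.arpa") else "forward"
        findings.append(d)
    return findings


def summarize(findings):
    """Group by (server name, ip) so each lame delegation is reported once, not per query."""
    by_server = defaultdict(set)
    for f in findings:
        by_server[(f["server"], f["ip"])].add((f["kind"], f["zone"].lower()))
    return {server: sorted(zones) for server, zones in by_server.items()}


if __name__ == "__main__":
    for (name, ip), zones in summarize(parse_lame(SAMPLE_LOG)).items():
        print(f"{name} [{ip}] is lame for: {zones}")
```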
Zone transfers, like VRFY on sendmail, give up information that may not be for public consumption. Zone transfers between DNS servers are expected. If a server for the domain CUSTOMER provides a limited zone transfer of data to SUBNET.CUSTOMER servers, it is providing legitimate information that both machines need. This becomes a difficulty if this information is not properly protected. Machines which allow inadvertent or promiscuous zone transfers permit any malefactor on the internet to gain intimate information about the network, such as hidden gateways, filtering routers, and machines names that are otherwise difficult or even impossible to retrieve.
Part of a good security stance is that only necessary information is offered, and only to validated recipients. In BIND this is enforced with an allow-transfer statement in named.conf (per zone or in the options block) that lists only the legitimate secondary servers. An example of a server at the customer which gives up information to the casual user is below. Note that this command asks only for machine nicknames (aliases). If there is a machine that serves as www.subnet.customer, this command gives up the true name of that machine, making it that much easier for an attacker to attempt a compromise.
This is an example of the zone transfers possible from a specific server within the customer's network:

> ls -a subnet.customer
[subnet.customer]
 www-subnet                     host1.subnet.customer
 macmail                        mmail.subnet.customer
 group1                         mac.subnet.customer
 macfiles                       filesvr.subnet.customer
 group2                         host2.subnet.customer
 pcuser                         host3.subnet.customer
Simple Network Management Protocol (SNMP) is a protocol for managing, monitoring, and configuring network devices such as routers, switches, printers and some hosts. Data is accessed by providing "community strings", which are similar in use to passwords. Certain well-known default community strings are used by various vendors of network devices. If these default community strings are left unchanged, an attacker can obtain information about the networks accessible to the device. If the community string has write access to the device, the device could be subverted or compromised to the attacker's advantage. SNMP traffic should never be allowed to traverse the enterprise firewall.
Community strings of various types were attempted with machines that would talk SNMP. The team was unsuccessful in obtaining any improper information from these devices. Either SNMP was blocked by the firewall or the team was unable to guess the appropriate SNMP community names.
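The community-string check above, as an added example that is not part of the original report. It hand-encodes an SNMPv1 GetRequest for sysDescr.0 (the BER encoding is written out rather than taken from a library, so the datagram an agent sees is visible), sends it with each candidate string, and treats silence as rejection, because a v1 agent does not answer a bad community at all, which is also why a firewall that drops UDP/161 is indistinguishable from a correct guess failing. The mock agent, its sysDescr text and the candidate list are constructed for the example.

```python
"""Try candidate SNMPv1 community strings against an agent (added example)."""
import socket
import threading

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
DEFAULT_COMMUNITIES = ["public", "private", "cisco", "admin", "secret", "monitor", "ILMI"]


def _ber(tag, payload):
    """Tag-length-value with definite-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _int(v):                      # non-negative INTEGER, high bit kept clear
    return _ber(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _oid(dotted):                 # OBJECT IDENTIFIER with base-128 arcs
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += enc
    return _ber(0x06, bytes(body))


def _tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def snmp_message(community, pdu_tag, oid, value=b"\x05\x00", req_id=1):
    """SNMPv1 message: 0xA0 = GetRequest (value NULL), 0xA2 = GetResponse."""
    varbind = _ber(0x30, _oid(oid) + value)
    pdu = _ber(pdu_tag, _int(req_id) + _int(0) + _int(0) + _ber(0x30, varbind))
    return _ber(0x30, _int(0) + _ber(0x04, community.encode()) + pdu)


def parse_message(data):
    """Return (community, pdu_tag, oid_bytes, (value_tag, value_bytes))."""
    _, body, _ = _tlv(data)
    _, _, pos = _tlv(body)                      # version
    _, community, pos = _tlv(body, pos)
    pdu_tag, pdu, _ = _tlv(body, pos)
    _, _, pos = _tlv(pdu)                       # request-id
    _, _, pos = _tlv(pdu, pos)                  # error-status
    _, _, pos = _tlv(pdu, pos)                  # error-index
    _, varbinds, _ = _tlv(pdu, pos)
    _, vb, _ = _tlv(varbinds)
    _, oid, pos = _tlv(vb)
    vtag, value, _ = _tlv(vb, pos)
    return community.decode(), pdu_tag, oid, (vtag, value)


def check_communities(host, port=161, candidates=DEFAULT_COMMUNITIES, timeout=0.5):
    """GetRequest sysDescr.0 with each candidate; return {community: sysDescr} for hits."""
    found = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    for i, community in enumerate(candidates, start=1):
        sock.sendto(snmp_message(community, 0xA0, SYS_DESCR, req_id=i), (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            continue                  # silence: wrong community, or UDP/161 filtered
        got, pdu_tag, _, (_, value) = parse_message(data)
        if pdu_tag == 0xA2 and got == community:
            found[community] = value.decode(errors="replace")
    sock.close()
    return found


def start_fake_agent(communities, descr=b"Example Router (constructed sysDescr)"):
    """Constructed stand-in device: answers known communities, drops everything else."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))

    def serve():
        while True:
            data, peer = sock.recvfrom(2048)
            try:
                community, pdu_tag, _, _ = parse_message(data)
            except (IndexError, ValueError):
                continue
            if pdu_tag == 0xA0 and community in communities:
                sock.sendto(snmp_message(community, 0xA2, SYS_DESCR, _ber(0x04, descr)), peer)

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]


if __name__ == "__main__":
    print(check_communities("127.0.0.1", start_fake_agent({"public", "s3cret"})))
```

The GetRequest for community "public" this produces is 40 bytes, the same datagram a standard tool sends, so it can be compared against a tcpdump of the real thing. Note that a hit only proves read access; whether the string also permits writes is a separate test (a SetRequest against a harmless object), which this example deliberately does not perform.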
Secure Shell (SSH) provides secure (encrypted) authentication and remote sessions. SSH is preferred above Telnet or RSH due to its security features. Certain earlier versions of SSH contained vulnerabilities which could allow unauthorized or privileged access to the SSH host. These versions of SSH should be upgraded.
During the audit the team found one machine that refused to handshake due to its version being out of date. This may have been an anomaly, or it may truly be a cause for concern. It is recommended that all machines be surveyed to ensure that none are running older versions of the SSH server.
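The survey recommended above can be done without authenticating: every SSH server announces its protocol version and software in a plaintext identification string before any key exchange. The following is an added example, not from the report, that reads that string and grades it: "SSH-1.5-..." means a protocol-1-only daemon, "SSH-1.99-..." a server that still accepts protocol 1, "SSH-2.0-..." protocol 2 only; a helper then compares the advertised software version against a minimum the auditor chooses. The mock sshd and the banners used to exercise it are constructed; the version threshold in the usage is an assumption, not a recommendation from the report.

```python
"""Grab and grade SSH identification strings (added example)."""
import re
import socket
import threading

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
VERSION_RE = re.compile(r"^(?P<product>[A-Za-z]*)[_-]?(?P<ver>\d+(?:\.\d+)*)")


def grab_banner(host, port=22, timeout=5):
    """Connect, send our own identification line, return the server's (RFC 4253 style)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-bannercheck\r\n")
        buf = b""
        while not buf.endswith(b"\n") and len(buf) < 255:
            chunk = s.recv(255)
            if not chunk:
                break
            buf += chunk
    return buf.decode("ascii", errors="replace").strip()


def grade_banner(banner):
    """Classify by protocol version; the software field is returned for version checks."""
    m = BANNER_RE.match(banner)
    if not m:
        return {"banner": banner, "verdict": "not an SSH identification string"}
    proto, software = m.group("proto"), m.group("software")
    if proto == "1.5":
        verdict = "protocol 1 only: upgrade (SSH1 is cryptographically weak and such daemons are old)"
    elif proto == "1.99":
        verdict = "supports protocol 1 and 2: disable protocol 1 unless a client still needs it"
    elif proto == "2.0":
        verdict = "protocol 2 only"
    else:
        verdict = f"unknown protocol version {proto}"
    return {"banner": banner, "proto": proto, "software": software, "verdict": verdict}


def older_than(software, minimum):
    """True if the numeric part of `software` (OpenSSH_2.2.0p1 -> 2.2.0) is below `minimum`.
    Returns None when no version number can be read."""
    m = VERSION_RE.match(software)
    if not m:
        return None
    return tuple(int(x) for x in m.group("ver").split(".")) < tuple(minimum)


def start_fake_sshd(banner):
    """Constructed mock sshd on an ephemeral localhost port; serves one client."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        srv.close()
        conn.recv(255)                       # the client's identification line
        conn.sendall(banner.encode() + b"\r\n")
        conn.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Assumed threshold for illustration only; pick your own per platform.
    for sample in ("SSH-1.99-OpenSSH_2.2.0p1", "SSH-1.5-1.2.27", "SSH-2.0-OpenSSH_3.9p1"):
        g = grade_banner(grab_banner("127.0.0.1", start_fake_sshd(sample)))
        print(g["banner"], "->", g["verdict"], "| below 2.3.0:", older_than(g["software"], (2, 3, 0)))
```

Run it over the host list from the DNS dump and sort by verdict; the machine that "refused to handshake" during the audit would show up here as a 1.5 banner, or as a connection that closes before any banner is sent.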
The following hosts were aggressively investigated during Phase II of the audit. These hosts were of particular interest due to their potential for vulnerabilities. Each of these hosts should be considered for an individual security audit to verify proper patch levels and to upgrade applications as needed. Each entry includes the host name, any services discovered and commentary.
Positive features of customer's perimeter defenses:
This is a strong and effective defense structure, and should be maintained, but the routing rules that were used to block should not be activated without further testing for unexpected effects.
The customer maintains an inner "hidden" network. This network lives in the Y.Y.Y.Y netblock. It is located behind a proxying firewall, which in turn is behind the firewall for the public network. Machines on this network have no direct connection to the Internet. No externally accessible name servers are provided and routing is (supposedly) not advertised for this network. One would assume that this network could not be reached via the Internet.
The team discovered that a traceroute to the hidden network worked. The traceroute stopped at the filtering router/proxy service for the network but it is assumed that the packets themselves made it to the destination machine inside the network (outbound responses from these machines would have been blocked at the firewall). Since we had been told previously that this route was not advertised, we were naturally quite concerned to discover that it was.
Firewalk is a tool that exploits firewall/router idiosyncrasies to map and gain information about hosts behind firewalls. The team successfully reached a host that was internal to the Y.Y.Y.Y network with firewalk. After firewalk was successful, traceroute was tested, which was when we discovered the inadvertent advertisement of the network to the outside world.
The success of these probes hinged on the fact that routing information for the hidden Y.Y.Y.Y network was publicly advertised. After discussions with the customer a potential point of information leakage was identified. To maintain its isolation, routing information for the Y.Y.Y.Y network must not be publicly advertised. It should be noted that this configuration does not protect against exploits executed from inside the network, including tunnels, worms or viruses.
Technical recommendations can be summarized as follows (in order of priority):
Process recommendations can be summarized as follows (in order of priority):
Strategic recommendations can be summarized as follows (in order of priority):
Employees should be educated in the risks of social engineering. They should be made aware that posting to public forums from the customer's network discloses information about the internal networks. They should be aware that disclosure of specifics about internal systems, networks or applications places these systems at risk and/or makes them available as potential targets to attackers. Employees should not disclose personal information in public forums such as phone numbers, fax numbers, addresses, or work areas. They should not disclose information about the company organization, reporting structure or internal processes. Public forums are archived in a distributed manner. Once data enters these archives it is impossible to fully remove it. A proactive approach is required.
It is recommended that phone networks are audited, searching for phones being misused as modems, or to make sure that phone lines identified as being connected to fax machines are only answering with fax machines responses, and have not been converted to modem use at night time, or on weekends. War dialing tends to uncover these problems, and to verify that any identified modem bank gives back only the responses expected. If one time passwords are in use, phone audits verify that all known modem lines respond correctly, and that there are no unknown modem lines into the enterprise.
One-time passwords are an effective mechanism to assist in securing a network. We recommend that additional measures be taken to buttress that security. Home users and other off-site users are not under the direct control of the technical staff, and may still cause needless exposure to possible problems. Consider using Kerberos or a similar solution to segregate external users such that any potential damage is limited to specific area.
The following information is contained in online files that are linked from the online document. Due to the voluminous quantity of data, they are not currently available in printed form, except where noted.
This data consists of information retrieved online, in the Supplemental directory.
Things of note were two malformed DNS entries, and information about the network itself.
Specific things were tested early, such as evaluation of known web servers.
Other Phase I data is listed in the Supplemental directory, in the directory PhaseI. The sorted list of the viable addresses in the network dump is listed separately. The perl scripts for gathering the data were grab.pl, scandns.pl, and a quick shell script to grab specific multiple addresses. The local DNS server was always used so that any errors would be logged locally (for further information).
Phase II data, and email records, are in the directory PhaseII.
These reports and notes are part of the physical package returned to the customer as per the original agreement.
An access control list represents the rule set for controlling access to devices, resources or networks.
Any equipment of an interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, control, display, transmission, or reception of data and includes software, firmware, and hardware.
The American Registry of Internet Numbers (ARIN) maintains a database of all registered IPs for the Americas. Queries to the database can be made using the whois command or via the web.
The log of system events and activities generated by the operating system.
The Border Gateway Protocol (BGP) is an inter-Autonomous System routing protocol. The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems.
A blind test is a penetration test or vulnerability assessment in which the auditors have no (or very limited) knowledge of the system under audit. A blind test assists the customer in evaluating information leakage about their systems or networks. During a penetration test, a blind test simulates an uninformed or outside attacker.
The border router is usually the first defense on the network perimeter of an enterprise. It frequently occupies the network connection just before the initial firewall, and provides filtering service for sanity checks on incoming (and outgoing) network packets.
Action(s) which prevent any part of an AIS from functioning in accordance with its intended purpose.
Denial of service is a type of attack that consumes network or host resources and succeeds in denying those resources to legitimate users. Denial of service attacks usually do not represent a breach in security, but can inhibit the use of hosts or networks under attack. A distributed denial of service (DDoS) attack is a variation of the DoS attack. A DDoS uses a large number of distributed hosts in the attack to consume the resources of a host or network.
The DMZ is an area of a network between the border router and the perimeter defense device (firewall). The DMZ is often used for public servers and provides only limited protection to its hosts.
The domain name system translates host names into numerical IP (Internet Protocol) addresses which computers on the Internet use to communicate with each other. Resource records in the DNS directory are split into files called zones. Zones are kept on authoritative servers distributed all over the Internet, which answer queries according to DNS network protocol.
Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.
The edge router receives and packetizes traffic and then sends it to other routers and switches in the network. It is used by service providers to segregate traffic bound for specific groups of addresses, and is usually found between the border router(s) surrounding the perimeter of a large network, and the backbone connections to the service provider on the open internet.
An email/network worm transmits itself via email or by exploiting network services. Unlike a virus, a worm usually does not need a user to run anything on the host; it co-opts the host's services to spread itself.
An email virus is a virus that is transmitted via email. It usually requires the recipient to execute code on the target machine for infection to begin. The virus may co-opt the host's mail system to spread itself and typically carries a payload that damages the infected system.
A filter is a device such as a filtering router. A filter allows for the creation of ACLs to control access to devices, resources or networks. It is usually used to screen open ports, so that only valid data is allowed into, or out of, those ports.
Firewalk is a network auditing tool that attempts to determine what transport protocols a given gateway will pass. It is often used to determine if there are viable host machines on the other side of the firewall or router.
ftp is the user interface to the ARPANET standard File Transfer Protocol. The program allows a user to transfer files to and from a remote network site. It passes usernames and passwords as plaintext, and has a very poor security stance.
High risk implies that the problem identified will likely result in a compromise in the near future, that the problem identified may be taken advantage of by an adversary with a low skill level, or that the compromise will provide significant entry into the enterprise itself.
An informed test is a penetration test or vulnerability assessment in which the auditors have a good understanding of the system under test. Information about the system under test is provided by the customer. During a penetration test, an informed test simulates a knowledgeable attacker.
The technology concerned with monitoring computer systems in order to recognize signs of intrusions or policy violations.
Pertaining to techniques which attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available on the network.
IP is the protocol on which the Internet is based. Devices using IP are addressed with an IP number.
A lame server is a (DNS) server which has been delegated a DNS zone but is not authoritative for that zone. A lame server can also be a server that claims to be authoritative for a DNS zone when it is not.
Low risk implies that it is unlikely that the problem identified will result in a compromise, or that a compromise would lead to a significant escalation of privileges.
Medium risk implies that the problem identified might result in a compromise, if the adversary has a good skill level and is determined, or if the compromise would easily lead into a higher level of intrusion.
The nc (or netcat) utility is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and source routing.
A network device is a device which provides network services. These services could include network switching, routing and filtering. Network devices can also include dedicated HTTP, FTP, printing and file servers. Network devices do not usually support users in the same sense that a host would.
A network topology represents the configuration and connections of a network. It is often represented graphically as a network map.
Nmap is a tool designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.
Nslookup sends queries to Internet domain name servers. It has two modes: interactive and non-interactive. Interactive mode allows the user to contact servers for information about various hosts and domains or to display a list of hosts in a domain. Non-interactive mode is used to display just the name and requested information for a host or domain.
The portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.
A penetration test is similar in scope to a vulnerability assessment but is usually more aggressive in its efforts to simulate an attack.
The technique of securing a network by controlling access to all entry and exit points of the network. Usually associated with firewalls and/or filters.
Perpetrator: The entity from the external environment that is taken to be the cause of a risk. An entity in the external environment that performs an attack, i.e. a hacker.
A perimeter defense is a network's first line of defense in its connection to an untrusted network (such as the Internet). This often consists of a firewall or filtering router.
The POP protocol is used to transfer mail saved for a user to the user's computer. Versions 3 and 2 of this protocol are most commonly used.
An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the network layer.
A router is a device that directs network traffic whose destination is beyond the local network. Through the use of various routing protocols like BGP, OSPF and RIP, a router can determine the most advantageous route for the data.
The technology concerned with scanning computer systems and networks in order to find security vulnerabilities. Nessus, nmap, and strobe are all well known scanners.
Scanning, as a method for discovering exploitable communication channels, has been around for ages. The idea is to probe as many listeners as possible, and keep track of the ones that are receptive or useful to your particular need. Much of the field of advertising is based on this paradigm, and the "to current resident" brute force style of bulk mail is an almost perfect parallel to what we will discuss. Just stick a message in every mailbox and wait for the responses to trickle back.
Scanning entered the h/p world along with the phone systems. Here we have this tremendous global telecommunications network, all reachable through codes on our telephone. Millions of numbers are reachable locally, yet we may only be interested in 0.5% of these numbers, perhaps those that answer with a carrier.
The logical solution to finding those numbers that interest us is to try them all. Thus the field of "wardialing" arose. Excellent programs like Toneloc were developed to facilitate the probing of entire exchanges and more. The basic idea is simple. If you dial a number and your modem gives you a CONNECT, you record it. Otherwise the computer hangs up and tirelessly dials the next one.
A search through a computer system for security problems and vulnerabilities. A security audit is a process which evaluates and assesses the security of a network, host or enterprise.
Sendmail sends a message to one or more recipients, routing the message over whatever networks are necessary. Sendmail does internetwork forwarding as necessary to deliver the message to the correct place. Sendmail is a Unix-based Mail Transport Agent.
SMTP is a protocol used to transfer email from one host to another. Commands are in a human readable form. For example the VRFY command (if enabled) will verify the existence of a user mail box on a host. The EXPN command will expand a mail box alias to reveal the true recipient of an email.
Simple Network Management Protocol (SNMP) is a protocol for managing, monitoring, and configuring network devices such as routers, switches, printers and some hosts. Data is accessed by providing "community strings" which are similar in use to passwords.
A computer criminal or vandal will use the easiest method to gain access to the desired data or machines. These methods may include pretending to be an employee who has forgotten a password, casually viewing passwords entered carelessly by authorized users, or by other means where the natural trust of people is taken advantage of. These methods work just as well inside or outside the enterprise. A disgruntled employee using the account of his office mate to gain inappropriate access to data after hours can be just as dangerous as the corporate spy or computer vandal.
Spoof refers to fake or forged information or communications. For example, spoofed IPs or packets are network packets generated by one host but forged to carry the IP address of another host.
Secure shell provides secure (encrypted) authentication and remote sessions. SSH is preferred above Telnet or RSH due to its security features. It uses either a host key, or a long pass phrase, or both, in its authentication mechanism.
Secure Sockets Layer is a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses the server's public-key certificate to authenticate the server and to establish a session key, and then encrypts the data transferred over the SSL connection with that key. It provides authentication and confidentiality to applications.
Tcpdump prints out the headers of packets on a network interface that match a boolean expression. It is a common tool used for network analysis.
The telnet command is used to communicate with another host using the TELNET protocol. It is a part of the TCP/IP protocol, and operates entirely in clear text. This means that it is especially vulnerable to attackers, and can easily be subverted to an attacker's purpose.
An operation of sending trace packets for determining information; traces the route of UDP packets from the local host to a remote host. Normally traceroute displays the time and location of each hop on the route taken to reach the destination computer.
Traceroute prints the route packets take to network host. traceroute utilizes the IP protocol `time to live' field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to some host.
An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data. It is a executable program that is disguised as something innocuous such as a game, amusement, or common system command. Once executed it can install services or modify the system to allow an attacker access to the host.
Examples of trojans are Back Orifice, NetBus, and SubSeven.
A trust model represents the trust relationships between an organization or a network with other organizations or networks.
An upstream provider is an Internet Service Provider (ISP) that provides network connectivity and routing to the Internet through dedicated high speed connections. An upstream provider usually provides access to one of the major Internet backbones, or is a major backbone provider.
Usenet is an online, public and distributed forum. Usenet consists of a large hierarchy of news groups. Archives of these news groups provide a wealth of information for the social engineer.
A virtual private network is a secure network in which data may traverse insecure or untrusted networks. The security of this network data is protected by encryption and authentication protocols. A VPN is often used to connect two private networks via an Internet connection.
Systematic examination of an AIS or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Whois searches for an Internet directory entry for an identifier which is either a name (such as ``Smith'') or a handle (such as ``SRI-NIC''). The default action, unless directed otherwise with a special name, is to do a very broad search, looking for matches to name in all types of records and most fields (name, nicknames, hostname, net address, etc.) in the database.
A zone transfer occurs when an authoritative DNS server provides its zone data to another server. Proper zone transfers occur when secondary DNS servers replicate zone information from a primary server. Promiscuous zone transfers can divulge the internal structure of a network and are a security concern. Zone transfers requested by unauthenticated or unauthorized users should not be permitted.
Last modified: Sat Oct 30 22:55:41 PDT 2004